FIPS Support
The PTC RV&S server's SSL implementation can be configured to conform to the FIPS 140-2 standard. PTC RV&S uses the bc-fips-1.0.2.jar (a module from Bouncy Castle) for FIPS 140-2 compliance. For TLSv1.3 support, PTC RV&S uses the bctls-fips-1.0.11.jar. The BC FIPS jar has been designed and implemented to meet FIPS 140-2, Level 1 requirements.
The FIPS 140-2 configuration is supported only for the following connections:
PTC RV&S client - PTC RV&S server
PTC RV&S server - PTC RV&S server
Web browser - PTC RV&S server
PTC RV&S Agent - PTC RV&S server
PTC RV&S API (Java or C) - PTC RV&S server
If you have not created a server certificate, follow the instructions provided in the PTC RV&S documentation to create the certificate, have it signed, and import it into the PTC RV&S server PKCS12 keystore:
<ServerInstalldir>/data/tls/certificate.p12
For more information on creating a server certificate, see Creating Signed Server Certificates.
Perform the following steps to configure PTC RV&S for FIPS:
1. Configure the database server for SSL and obtain its public key certificate. Import this certificate into the <ServerInstalldir>/data/tls/certificate.p12 keystore as a trusted certificate.
2. Configure additional parameters for the mks.dynamicPool.config property in the <ServerInstallDir>/config/properties/is.properties file as follows:
mks.dynamicPool.config=url\=jdbc\:sqlserver\://<hostname>\:<port>;databaseName\=<dbname>;
selectMethod\=cursor;encrypt=true;fips=true;trustStoreType=PKCS12;fipsProvider=BCFIPS;
trustServerCertificate=false;hostNameInCertificate=<hostnameInCert>;trustStorePassword=<password>;
trustStore=<ServerInstallDir>/data/tls/certificate.p12,driver\=mks.frame.sql.jdbc.mssql.Driver,initialCapacity\=5,maxCapacity\=100,testTable\=VersionIdentity
3. Configure the PTC RV&S server to use the BC FIPS provider for SSL by adding the following property to <ServerInstallDir>/config/properties/is.properties:
mksis.secure.provider=bcfips
4. Restart the PTC RV&S server for the changes to take effect.
5. Modify the following lax files of the standalone DB utilities so that these utilities install the BC FIPS Provider:
<ServerInstallDir>/bin/isutil.lax
<ServerInstallDir>/bin/PatchServer.lax
<ServerInstallDir>/bin/collectSupportPackage.lax
6. Ensure that the property security.overridePropertiesFile is set to true in the <JDK_INSTALL_DIR>/lib/security/java.security file.
7. Note the highest number N among the security.provider.N properties, where N is the provider's position number. This highest number is referred to as NN below.
8. Create a new text file (in this example, JavaSecurityFips.txt) and add the following entry to it, where M is NN+1:
security.provider.M=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
9. Edit each of the aforementioned lax files as follows:
a. Add the paths of bc-fips-1.0.2.jar, bctls-fips-1.0.11.jar, and bcprov-jdk15on-1.69.jar to the lax.class.path property. The path is :../server/mks/lib/bc-fips-1.0.2.jar:../server/mks/lib/bcprov-jdk15on-1.69.jar, which is relative to the location of the lax file.
b. Add a new argument -Djava.security.properties to the lax.nl.java.option.additional property. Set its value to the location of the JavaSecurityFips.txt file as follows:
lax.nl.java.option.additional=-Djava.security.properties=<location of JavaSecurityFips.txt>
10. In the mksservice.conf file, append the mks.java.classpath entries for the bc-fips-1.0.2.jar, bctls-fips-1.0.11.jar, and bcprov-jdk15on-1.69.jar in the following order:
mks.java.classpath.xx=/<serverinstalldir>/server/mks/lib/bc-fips-1.0.2.jar
mks.java.classpath.xx=/<serverinstalldir>/server/mks/lib/bcprov-jdk15on-1.69.jar
Ensure that the numbers xx trailing the mks.java.classpath property are unique and are not repeated anywhere else in the mksservice.conf file.
After editing the mksservice.conf file, stop and restart the PTC RV&S server.
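Steps 6 through 8 above, scripted as an added shell example that is not part of the PTC RV&S documentation: it checks security.overridePropertiesFile, finds the highest security.provider.N in a java.security file, and writes JavaSecurityFips.txt with the BC FIPS provider at position NN+1. It assumes a Linux server with POSIX sh, grep and sed; the java.security content it uses is a constructed sample, not a real JDK file.

```shell
#!/bin/sh
# Added example (not from PTC RV&S documentation) automating steps 6-8 of the
# FIPS setup: verify the override switch, compute NN, write the override file
# registering org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider at NN+1.

# Highest N among active (uncommented) security.provider.N= entries; empty if none.
highest_provider_index() {
    grep -E '^[[:space:]]*security\.provider\.[0-9]+[[:space:]]*=' "$1" \
        | sed -E 's/^[[:space:]]*security\.provider\.([0-9]+).*/\1/' \
        | sort -n | tail -n 1
}

# write_fips_override <java.security> <output file>: prints the slot M used.
write_fips_override() {
    java_security="$1"
    out="$2"
    # Step 6: -Djava.security.properties is ignored unless this property is true.
    if ! grep -Eq '^[[:space:]]*security\.overridePropertiesFile[[:space:]]*=[[:space:]]*true' "$java_security"; then
        echo "security.overridePropertiesFile is not set to true in $java_security" >&2
        return 1
    fi
    nn=$(highest_provider_index "$java_security")   # Step 7: NN
    [ -n "$nn" ] || nn=0
    m=$((nn + 1))                                    # Step 8: M = NN + 1
    printf 'security.provider.%s=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider\n' "$m" > "$out"
    echo "$m"
}

# Constructed sample java.security for demonstration only. The non-consecutive
# index 10 and the commented-out entry show why numeric sorting and comment
# filtering are needed.
make_sample_java_security() {
    cat > "$1" <<'EOF'
security.overridePropertiesFile=true
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.10=JdkLDAP
#security.provider.12=com.example.DisabledProvider
EOF
}
```

Run write_fips_override against the real <JDK_INSTALL_DIR>/lib/security/java.security and point the lax.nl.java.option.additional argument at the file it produces.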